Werk #15194: Fix command injection via RestAPI / Password Store

Component Core & setup
Title Fix command injection via RestAPI / Password Store
Date Aug 2, 2023
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.0.0p38 2.1.0p32 2.2.0p4 2.3.0b1
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site.

This issue was found during internal code review.

Affected Versions: * 2.0.0 * 2.1.0 * 2.2.0 prior to version 2.2.0p4

Note that at the point of publishing this Werk and fix, the current version 2.2.0 was already not affected by this issue anymore, as the issue was already mitigated by Werk #15889.

Indicators of Compromise: Check the password store for passwords with unusual identifiers, review add-password events in the audit log.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We have assigned CVE CVE-2023-31209.

Changes: This Werk adds proper sanitization of the affected parameter on core commands.

To the list of all Werks